There were 2 security-related bugs fixed and released in Grid Engine today:
- Code injection via LD_* environment variables
- sgepasswd buffer overflow
Oracle fixed both of them in their CPU (Critical Patch Update) release
for Oracle Grid Engine this afternoon.
For Sun Grid Engine (6.2u5) and Open Grid Scheduler/Grid Engine, visit:
http://gridscheduler.sourceforge.net/security.html
The first one was found by William Hay back in Nov 2011. And the
second one was reported by an outside security researcher to Oracle.
The details of the bug were passed on to me, and we (all the Grid
Engine forks) decided that we should share any security-related
information instead of putting it in marketing slides.
Download patches and pre-compiled binaries for:
- SGE 6.2u5, 6.2u5p1, 6.2u5p2
- Open Grid Scheduler/Grid Engine 2011.11
from the URL above.
To apply the patches, just replace the older version of the binaries
with the newer version.
Rayson
=================================
Open Grid Scheduler / Grid Engine
http://gridscheduler.sourceforge.net/
Scalable Grid Engine Support Program
http://www.scalablelogic.com/